In a previous post I showed a simple way I can setup role assignments via terraform so I could configure the service principal I am using for Serverless360 to have permissions applied to it. This post is on this page = https://mikestephenson.me/2022/07/04/simple-azure-role-assignments-with-terraform/
In the real world you might have a lot of resource groups you want to apply permissions to and I wanted to show how you could use the setproduct function in terraform to help you do this.
To start with I have a slightly different locals this time. I have got a list of resource groups which I want to apply permissions to, I also have a list of all of the permissions I want to apply and then I will use the setproduct function to be able to create a combined list of all of the possible combinations of joining the two lists.
locals {
resource_group_list = [
"SL360_APIM",
"SL360_AppInsights"
]
default_roles = [
"Reader",
"Azure Event Hubs Data Sender"
]
resource_group_role_assignments = {for val in setproduct(local.resource_group_list, local.default_roles):
"${val[0]}-${val[1]}" => val}
}
The outcome of setproduct is I will have 4 items in my new list which will have the combo of each resource group and each permission.
Next I have a data element which will reference my service principal
data "azuread_service_principal" "sl360_businessapps" {
application_id = var.serviceprincipal_clientid_sl360_businessapps
}
This time for my resource group I will use the for_each function so I create a data reference to each resource group listed in my locals.
data "azurerm_resource_group" "resource_group" {
for_each = toset(local.resource_group_list)
name = each.value
}Finally my resource for the role assignment is slightly different to the previous example where this time the for_each is using the combined list which was created by the setproduct function and I will reference the resource group in the scope by using the name from the list the resource is using.
resource "azurerm_role_assignment" "sl360_businessapp_resourcegroup_role_assignment" {
for_each = local.resource_group_role_assignments
scope = data.azurerm_resource_group.resource_group[each.value[0]].id
role_definition_name = each.value[1]
principal_id = data.azuread_service_principal.sl360_businessapps.object_id
}Hopefully you can see that the script isnt really that much more complicated than before but I can still just add a role to the roles list or add a resource group to the resource group list and just apply the terraform and it will setup any new permissions. I can also remove permissions easily too.
The Full Script is here
locals {
resource_group_list = [
"SL360_APIM",
"SL360_AppInsights"
]
default_roles = [
"Reader",
"Azure Event Hubs Data Sender"
]
resource_group_role_assignments = {for val in setproduct(local.resource_group_list, local.default_roles):
"${val[0]}-${val[1]}" => val}
}
data "azuread_service_principal" "sl360_businessapps" {
application_id = var.serviceprincipal_clientid_sl360_businessapps
}
data "azurerm_resource_group" "resource_group" {
for_each = toset(local.resource_group_list)
name = each.value
}
resource "azurerm_role_assignment" "sl360_businessapp_resourcegroup_role_assignment" {
for_each = local.resource_group_role_assignments
scope = data.azurerm_resource_group.resource_group[each.value[0]].id
role_definition_name = each.value[1]
principal_id = data.azuread_service_principal.sl360_businessapps.object_id
}
